Denial of Service

Web Security.

Servers have limits. CPU, memory, bandwidth, open connections, file descriptors. A Denial of Service (DoS) attack doesn't steal anything or run code, it just burns those limits until the service stops keeping up with real users.

Sometimes that's a flood of traffic. Other times it's one cheap request that costs the server a lot. When many machines pitch in, it becomes a Distributed Denial of Service (DDoS).

This module walks through how availability breaks and how small inefficiencies turn into full outages.

A Denial of Service attack doesn't always need a flood of traffic. Sometimes one well-placed request is enough to keep a server from doing anything else.

In this challenge, the server runs one worker with one thread. While that worker is busy with a request, no one else gets in.

Your goal is to keep the server from responding to its own watchdog.

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

The obvious fix for a busy server is more workers, so this one runs 32 of them, each its own process, handling requests in parallel.

But each worker is still synchronous: one request at a time, start to finish. More lanes don't help if every lane is single-file.

Same goal as before: knock the server offline.

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

This server has a new endpoint: POST /log. It accepts JSON, and the handler reads the entire body before doing anything with it.

There's no cap on the request size. Whatever you send, the server has to hold somewhere, and memory isn't infinite. When a process runs out, it can't keep responding.

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

The server now runs one worker with 64 threads. Threads share the same process, so requests can be handled concurrently without spinning up new processes for each one.

But concurrency only goes as far as the resources behind it. Threads still share the same disk, the same file descriptors, the same I/O. If the underlying work is expensive enough, more threads just means more contention.

The same POST /log endpoint is here.

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Up until now, every challenge gave you something to make the server do: parse a body, decompress, run a regex, write to disk. This one doesn't.

The server runs one worker with 4 threads. The only endpoint is /health. There's no body, no parsing, no computation. From inside the handler, there is nothing slow to trigger.

But every connection still has to be read before it can be served. While a thread is waiting on bytes from the socket, it can't do anything else.

You don't need to ask the server to do anything. You just need to refuse to finish talking.

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Every challenge before this one gave you a way to talk to the server. This one doesn't.

The server is up. The watchdog can reach it. You can't. Your traffic on port 443 is dropped before it ever leaves your shell. There is no payload to send, no body to oversize, no header to drip. The HTTP attack surface is closed to you.

But you and the server are still roommates. You share the same CPU, the same memory, the same disk, the same kernel. You can run whatever you want as your own user.

You don't need to attack the service. You need to be a bad neighbor.

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

30-Day Scoreboard:

This scoreboard reflects solves for challenges in this module after the module launched in this dojo.

7-Day | 30-Day | All-Time

Rank		Hacker	Badges		Score